{"data":{"id":"8ba3ef76-d611-4440-be8c-0eb76515af42","title":"GHSA-vc24-j8c5-2vw4: OpenTelemetry.Resources.Azure has an unbounded HTTP response body read","summary":"OpenTelemetry.Resources.Azure has a vulnerability where it reads unlimited amounts of data from Azure VM metadata service responses into memory, allowing an attacker to cause the application to crash by sending extremely large responses (a denial of service attack where the system runs out of memory). This affects applications using the Azure VM resource detector that connect to a compromised or intercepted metadata endpoint.","solution":"Fixed in OpenTelemetry.Resources.Azure version 1.15.0-beta.2. The fix introduces limits to HttpClient requests so that response bodies are streamed rather than loaded entirely into memory, with responses greater than 4 MiB being ignored. As workarounds, you can disable the Azure VM resource detector or use network-level controls (firewall rules, mTLS, or service mesh) to prevent Man-in-the-Middle attacks on the Azure VM instance metadata endpoint.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-vc24-j8c5-2vw4","publishedAt":"2026-04-29T18:30:51.000Z","cveId":"CVE-2026-41483","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["OpenTelemetry.Resources.Azure@<= 1.15.0-beta.1 (fixed: 1.15.1-beta.1)"],"affectedVendors":[],"affectedVendorsRaw":["OpenTelemetry"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-29T18:30:51.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}